
Install-Time Vaccination of Windows Executables to Defend against Stack Smashing Attacks

Published: 01 January 2006

Abstract

Stack smashing is still one of the most popular techniques for computer system attack. In this work, we present an anti-stack-smashing defense technique for Microsoft Windows systems. Our approach works at install time and does not rely on having access to the source code: the user decides when and which executables to vaccinate. Our technique consists of instrumenting a given executable with a mechanism to detect stack smashing attacks. We developed a prototype implementing our technique and verified that it successfully defends against actual exploit code. We then extended our prototype to vaccinate DLLs, multithreaded applications, and DLLs used by multithreaded applications, which present significant additional complications. We present promising performance results measured on SPEC2000 benchmarks: vaccinated executables were no more than 8 percent slower than their unvaccinated originals.



Published In

IEEE Transactions on Dependable and Secure Computing, Volume 3, Issue 1, January 2006, 100 pages

Publisher

IEEE Computer Society Press, Washington, DC, United States

Author Tags

  1. Computer security
  2. buffer overflow
  3. instrumentation

Qualifiers

  • Research-article


Cited By

  • (2018) A Leak-Resilient Dual Stack Scheme for Backward-Edge Control-Flow Integrity. Proceedings of the 2018 on Asia Conference on Computer and Communications Security, pp. 369-380. doi:10.1145/3196494.3196531. Online publication date: 29 May 2018.
  • (2015) The Performance Cost of Shadow Stacks and Stack Canaries. Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, pp. 555-566. doi:10.1145/2714576.2714635. Online publication date: 14 Apr 2015.
  • (2015) An enhancement of return address stack for security. Computer Standards & Interfaces, vol. 38:C, pp. 17-24. doi:10.1016/j.csi.2014.08.008. Online publication date: 1 Feb 2015.
  • (2010) Artificial malware immunization based on dynamically assigned sense of self. Proceedings of the 13th international conference on Information security, pp. 166-180. doi:10.5555/1949317.1949337. Online publication date: 25 Oct 2010.
  • (2007) Detection and diagnosis of control interception. Proceedings of the 9th international conference on Information and communications security, pp. 412-426. doi:10.5555/1785001.1785043. Online publication date: 12 Dec 2007.
  • (2007) Detection and Diagnosis of Control Interception. Information and Communications Security, pp. 412-426. doi:10.1007/978-3-540-77048-0_32. Online publication date: 12 Dec 2007.
